The field of invention is computer networking, and more specifically a system for sharing network state among related TCP connections to enhance network throughput.
Transmission Control Protocol (TCP) is a common and well-known protocol for transmitting data between computers over a network such as the Internet. The TCP standard is defined in RFC 793, Transmission Control Protocol. TCP divides a file or other data into packets, numbers the packets, then transmits them over a network. TCP keeps track of these packets, and reassembles them at their destination back into their original configuration. TCP is a connection-oriented protocol, which means that a connection is established between the machine transmitting data and the machine receiving data, and that connection is maintained until all of the data to be exchanged between the machines has been transmitted. The TCP standard is almost universally used in transmitting data across the Internet between a server and a client.
Data transmission over a network creates security concerns. A common method of combating threats to the security of a computer, or the security of an internal network such as a corporate network, is to provide one or more machines known as firewalls between the internal network and an external network. A firewall typically filters network packets received from the external network to determine whether to forward them to their destination on the internal network. A common type of firewall is a proxy server that makes requests to the external network on behalf of users of the internal network. For example, a user on the internal network may wish to browse a web page. Rather than connecting directly to the server, the user would connect to the proxy server, which would request the web page from the external server on behalf of the user, then examine the data served based on the access control policy implemented by that firewall. This process is typically invisible to the user.
A firewall enforces an access control policy between two networks. The firewall makes a policy decision for an individual connection based on information limited to that single connection. This information may include packet contents, source and/or destination addresses and ports, or other information. However, information regarding overall network conditions is not available at the firewall during connection setup, which is where the policy decision must be made. Instead, each TCP connection 10 has a separate TCP control block 20 that is not communicated between individual connections, as shown in FIG. 1. The TCP control block 20 is known in the art, and includes state information for a single TCP connection 10. Thus, current firewalls do not take advantage of traffic locality (i.e., repeated network transactions) between client/server pairs. Especially for proxy firewalls utilizing TCP, this may result in lower throughput than would otherwise be possible, due to the adverse impact of the slow-start data transmission mechanisms built into TCP. This process is time-consuming, relatively speaking, and typically results in decreased firewall throughput.